4 Malicious Chrome Extensions Put 500k Users at Risk of Click Fraud

Presence of spyware and malware in Chrome browser extensions we use to surf the web is nothing new as every other day we hear about a new strain of malware identified in an extension. Sometimes even the extension turns out to be fake and a piece of malware.

According to a report from ICEBRG, four Google Chrome extensions have been identified as malicious and targeting more than half a million Chrome users as well as workstations of a majority of high-profile organizations operating globally. The four extensions include:

Change HTTP Request Header

Lite Bookmarks

Nyoogle – Custom Logo for Google

Stickies – Chrome’s Post-it Notes

It is worth noting that Lite Bookmarks and Change HTTP Request Header have been removed from official Google Play Store.

Change HTTP Request Header extension

The findings of the research were published in a blog post on Monday 15th January by two ICEBRG researchers namely Justin Warner and Mario De Tore. As per the report, these malicious extensions contain suspicious coding that affected over 500,000 users worldwide including corporate workstations. The extensions are used to carry out “click fraud” and “search engine optimization (SEO) manipulation.”

Moreover, these offer a strong foothold to threat actors because they can leverage these extensions to obtain access to corporate networks and user information. These extensions were discovered while the team of researchers at ICEBRG was investigating the sudden increment in outbound network traffic between a European VPS provider and a customer’s workstation.

“Chrome’s JavaScript engine evaluates JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP),” wrote Warner and De Tore.